
Configuring System Integrity Protection without booting to Recovery HD

One interesting part of Apple’s developer documentation for System Integrity Protection (SIP) is the note shown below, indicating that it’s possible to configure SIP for environments that can’t access Recovery.

Apple developer documentation for configuring SIP outside recovery

When I followed up with Apple about this, I was told that this meant I could configure it using NetBoot, using a NetBoot set that included the needed Recovery environment.

The example used was leveraging a new option in System Image Utility to create a package-only installation NetBoot set.

System image utility package only installation

This new type of NetBoot set is designed to install only scripts, configuration profiles and packages, as opposed to installing an OS. For more details, see below the jump.

To test this, I wrote a script that uses csrutil netboot add to add two IP addresses to the NetBoot whitelist.


Csrutil netboot add script


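The script in the post is shown only as a screenshot, so here is an added example (my own, not the post's script) of what such a whitelist script can look like when run from the Recovery environment of a package-only NetBoot set: it validates each address, adds it with csrutil netboot add, and re-reads csrutil netboot list to confirm the entry actually landed. The 192.0.2.x addresses, the CSRUTIL override and the --apply flag are assumptions; only the csrutil netboot add and csrutil netboot list commands come from the post.

```sh
#!/bin/sh
# Added example, not the post's own script: whitelist NetBoot servers with csrutil
# from a Recovery/NetBoot environment. Addresses are constructed placeholders.
NETBOOT_SERVERS="${NETBOOT_SERVERS:-192.0.2.10 192.0.2.11}"
CSRUTIL="${CSRUTIL:-/usr/bin/csrutil}"   # overridable so the logic can be tested elsewhere

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 already appears in the current NetBoot whitelist.
netboot_whitelisted() {
    "$CSRUTIL" netboot list 2>/dev/null | grep -qwF "$1"
}

# Validate $1 and add it unless already present; non-zero on a bad address
# or when the entry is still missing after the add.
add_server() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "skipping malformed address: $ip" >&2
        return 1
    fi
    if netboot_whitelisted "$ip"; then
        echo "already whitelisted: $ip"
        return 0
    fi
    "$CSRUTIL" netboot add "$ip" || return 1
    netboot_whitelisted "$ip"   # re-read the list so a silent failure is noticed
}
# Only apply when csrutil exists and --apply is given (assumed flag, not the post's).
if [ -x "$CSRUTIL" ] && [ "${1:-}" = "--apply" ]; then
    rc=0
    for server in $NETBOOT_SERVERS; do
        add_server "$server" || rc=1
    done
    "$CSRUTIL" netboot list
    exit "$rc"
fi
```

Because csrutil refuses to change SIP settings from a normally booted system, the script only does anything useful when the package-only NetBoot set runs it from Recovery; the final csrutil netboot list call leaves a record of the resulting whitelist in the install log.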
Once I had my script written, I built a package-only NetBoot set using System Image Utility and added the script to it.

Adding script to packages only netboot set

Once completed, I booted a VM running OS X El Capitan from the NetBoot set to verify that the process works.

To demonstrate how the process looks, I’ve made a video showing the following process:

  1. Running csrutil status and csrutil netboot list to show that the Mac has SIP enabled, but no entries in the NetBoot whitelist.
  2. NetBooting the VM from the packages-only NetBoot set
  3. The NetBoot set running the script and rebooting
  4. Running csrutil status to show that the Mac has SIP enabled and now also has the two IP addresses added to the NetBoot whitelist.


Note: The video has been edited to artificially reduce the amount of time it took to NetBoot and restart.

  1. hatingfruit
    October 5, 2015 at 11:11 pm

    Could this be included during install of El Cap? So if you were upgrading (or fresh re-image) from say 10.10 to 10.11, could you install the netboot whitelist script at the same time? Otherwise if you are already on 10.11 and need to use bless to target a netboot set, isn’t this already a moot point?

  2. Chris G
    October 5, 2015 at 11:47 pm

    Hi Rich,

    Apple did a lot of work on System Image Utility. You can now set it to erase and auto run, install files, scripts, apps and profiles in a netinstall. Those features were there in the past but I never got them working.

    The auto run OS install (net install) is great, but it won’t erase an encrypted HD.


  3. Ashish
    October 20, 2015 at 2:29 pm

    Is it possible to add /usr/sbin/fdesetup in /etc/sudoer? I tried that but it didn’t work. There could be possibilities I am doing something wrong. Your help would be great.

  4. Maurits
    November 17, 2015 at 11:31 am

    Rich, I used Apple Remote Desktop to tell a client to boot from a NetInstall server, and that worked as before SIP (with the known issue that the ARD management Mac must be in the same VLAN, with the same NetInstall servers visible, to make this work).
    This is probably allowed because ARD is ‘trusted’ software (?! I am guessing here).
    That may be easier than your script in SIU.
